CVE-2022-48805: net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
In the Linux kernel, the following vulnerability has been resolved:
net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
ax88179_rx_fixup() contains several out-of-bounds accesses that can be
triggered by a malicious (or defective) USB device, in particular:
- The metadata array (hdr_off..hdr_off+2*pkt_cnt) can be out of bounds,
causing OOB reads and (on big-endian systems) OOB endianness flips.
- A packet can overlap the metadata array, causing a later OOB
endianness flip to corrupt data used by a cloned SKB that has already
been handed off into the network stack.
- A packet SKB can be constructed whose tail is far beyond its end,
causing out-of-bounds heap data to be considered part of the SKB's
data.
I have tested that this can be used by a malicious USB device to send a
bogus ICMPv6 Echo Request and receive an ICMPv6 Echo Reply in response
that contains random kernel heap data.
It's probably also possible to get OOB writes from this on a
little-endian system somehow - maybe by triggering skb_cow() via IP
options processing -, but I haven't tested that.
Security readout for executives and security teams
Plain-English summary
CVE-2022-48805 is a Linux kernel flaw in the ASIX AX88179/178A USB Ethernet driver. A malicious or faulty USB network adapter can trigger out-of-bounds memory handling and may cause kernel heap data to be exposed in network responses. This mainly matters where untrusted USB devices can be connected.
Executive priority
Prioritize remediation for laptops, shared workstations, labs, and physically accessible systems that allow USB devices. For locked-down servers without USB exposure, urgency is lower but kernel maintenance should still include this fix.
Technical view
The issue is in ax88179_rx_fixup() in the Linux kernel ax88179_178a USB network driver. Improper bounds checks around packet metadata and SKB construction can cause out-of-bounds reads and data corruption. The CVE description states a malicious USB device was tested to leak random kernel heap data via an ICMPv6 Echo Reply.
Likely exposure
Exposure is most likely on Linux systems using the ax88179_178a driver with AX88179/178A USB Ethernet devices. Risk increases on workstations, labs, kiosks, or servers where attackers can attach USB hardware. Remote-only systems without USB device access are less likely exposed.
Exploitation context
The source describes exploitation by a malicious USB device, not remote network traffic alone. It reports tested kernel heap data disclosure and notes possible out-of-bounds writes were suspected but not tested. CISA KEV status is false in the provided bundle, so active exploitation is not established here.
Researcher notes
The CVE record provides detailed root cause in RX fixup bounds handling and SKB construction. Affected version data in the bundle is limited and should be reconciled with distribution kernel backports. No CVSS score, CWE mapping, or public active-exploitation evidence is provided.
Mitigation direction
Update Linux kernels to versions containing the referenced stable fixes.
Follow your Linux distribution’s advisory for patched kernel packages.
Restrict connection of untrusted USB network adapters.
Disable or block the ax88179_178a driver if not required.
Apply physical USB port controls on high-risk systems.
Validation and detection
Inventory Linux systems using USB Ethernet adapters.
Check whether the ax88179_178a driver is present or loaded.
Compare kernel builds against distribution advisories and referenced stable commits.
Confirm patched kernels are installed and running after reboot.
Review endpoint controls for unauthorized USB device attachment.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48805 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.